IG-01-043

AUDIT REPORT

INFORMATION TECHNOLOGY SECURITY REQUIREMENTS IN NASA CONTRACTS, GRANTS, AND COOPERATIVE AGREEMENTS

September 28, 2001

OFFICE OF INSPECTOR GENERAL
National Aeronautics and Space Administration


Additional Copies

To obtain additional copies of this report, contact the Acting Assistant Inspector General for Audits at (202) 358-1232, or visit www.hq.nasa.gov/office/oig/hq/issuedaudits.html.


Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Acting Assistant Inspector General for Audits. Ideas and requests can also be mailed to:

     Assistant Inspector General for Audits
     Code W
     NASA Headquarters
     Washington, DC 20546-0001


NASA Hotline

To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at (800) 424-9183, (800) 535-8134 (TDD), or at www.hq.nasa.gov/office/oig/hq/hotline.html#form or write to the NASA Inspector General, P.O. Box 23089, L'Enfant Plaza Station, Washington, DC 20026.
The identity of each writer and caller can be kept confidential, upon request, to the extent permitted by law.


Reader Survey

Please complete the reader survey at the end of this report or at http://www.hq.nasa.gov/office/oig/hq/audits.html


Acronyms

FAQ      Frequently Asked Questions
FAR      Federal Acquisition Regulation
GISRA    Government Information Security Reform Act
IT       Information Technology
OMB      Office of Management and Budget
PIC      Procurement Information Circular


W                                                                       September 28, 2001

TO:        A/Administrator

FROM:      W/Inspector General

SUBJECT:   INFORMATION: Information Technology Security Requirements in NASA Contracts, Grants, and Cooperative Agreements
           Report Number IG-01-043


The NASA Office of Inspector General has completed an audit of NASA compliance with the Government Information Security Reform Act (GISRA) requirement to integrate information technology (IT) security into contracts (which include purchase orders), grants, and cooperative agreements. We found that the Agency had identified contracts subject to the requirements and was making progress in incorporating IT security requirements into contracts at two of the three Centers[1] reviewed. However, Marshall had made considerably less progress than the other two Centers. Further, NASA had not included the applicable security requirements in its purchase orders, grants, and cooperative agreements. As a result, the Agency lacks reasonable assurance of complying with GISRA requirements, and NASA's systems and information may be subject to additional security risks.

Background

GISRA requires agencies to integrate IT security into contracts, grants, and cooperative agreements.
In July 2000, the Agency directed Centers to identify contracts subject to IT security requirements and modify applicable contracts with an IT security clause prescribed by the NASA Federal Acquisition Regulation (FAR) Supplement. Centers were to complete the identification and modification of applicable contracts by December 31, 2000.

[1] The three Centers were Goddard Space Flight Center (Goddard), Lyndon B. Johnson Space Center (Johnson), and George C. Marshall Space Flight Center (Marshall).

Recommendations

We made three recommendations related to the incorporation of IT security requirements into applicable NASA contracts, grants, and cooperative agreements. Specifically, we recommended that NASA establish controls and timeframes to ensure that the Centers properly identify contracts subject to the IT security clause and modify the contracts to incorporate the clause, where appropriate. This will help NASA identify all applicable contracts in accordance with GISRA. We also recommended that NASA direct the Centers to include purchase orders, grants, and cooperative agreements in their IT security reviews. Finally, we recommended that NASA comply with GISRA by incorporating IT security requirements in purchase orders, grants, and cooperative agreements, where appropriate. These actions will help NASA comply with GISRA and incorporate IT security in its applicable contracts, grants, and cooperative agreements.

Management's Response and OIG Evaluation

Management concurred with all three recommendations. Management revised the NASA FAR Supplement, which clarified guidance related to identification, control, modification, and timeframes for implementation of the IT security clause. In addition, management stated it would monitor the Centers' progress in reviewing and implementing the clause.
Further, management stated it would emphasize to the Centers that they must review cooperative agreements and purchase orders. Finally, management will issue guidance to review any grants valued at $100,000 or more that do not expire before March 30, 2002.

Management's actions are responsive to the recommendations. Details on the status of the recommendations are in the findings section of the report.


[original signed by]
Roberta L. Gross

Enclosure
Final Report on Audit of Information Technology Security Requirements in NASA Contracts, Grants, and Cooperative Agreements


INFORMATION TECHNOLOGY SECURITY REQUIREMENTS IN NASA CONTRACTS, GRANTS, AND COOPERATIVE AGREEMENTS


W                                                                  September 28, 2001

TO:        H/Associate Administrator for Procurement

FROM:      W/Assistant Inspector General for Audits

SUBJECT:   Final Report on Audit of Information Technology Security Requirements in NASA Contracts, Grants, and Cooperative Agreements
           Assignment Number A-01-036-00
           Report Number IG-01-043


Enclosed please find the subject final report. Please refer to the Executive Summary for the overall audit results. Our evaluation of your response has been incorporated into the body of the report. Your comments on a draft of this report were responsive to the recommendations. The recommendations will remain open for reporting purposes until corrective action is completed. Please notify us when action has been completed on the recommendations.

We appreciate the courtesies extended to the audit staff. If you have questions concerning the report, please contact Mr. David L. Gandrud, Program Director, Information Technology Program Audits, at (650) 604-2672, or Mr. Roger W. Flann, Program Manager, at (818) 354-9755.
See Appendix C for the report distribution.


[original signed by]
Alan J. Lamoreaux


Enclosure

cc:
AB/Associate Deputy Administrator for Institutions
AO/Chief Information Officer
B/Acting Chief Financial Officer
B/Comptroller
BF/Director, Financial Management Division
G/General Counsel
JM/Director, Management Assessment Division


Contents

Executive Summary

Introduction

Findings and Recommendations

      Finding A. IT Security Clause in Contracts

      Finding B. IT Security Requirements in Purchase Orders, Grants, and Cooperative Agreements

Appendix A - Objectives, Scope, and Methodology

Appendix B - Management's Response

Appendix C - Report Distribution


NASA Office of Inspector General

IG-01-043                                                                        September 28, 2001
A-01-036-00

Information Technology Security Requirements in NASA Contracts, Grants, and Cooperative Agreements

Executive Summary

Background. On October 30, 2000, the President signed into law the fiscal year 2001 Defense Authorization Act (Public Law 106-398), including Title X, subtitle G, "Government Information Security Reform" (the Security Reform Act, or GISRA). GISRA primarily addresses the program management and evaluation aspects of security. Specifically, GISRA requires agencies to perform annual program reviews. GISRA also requires Inspectors General to perform annual security evaluations and to annually report the results of reviews to OMB.[2]

Objectives.
Our audit objectives were to determine whether NASA contracts reference applicable IT security requirements of GISRA, contain performance metrics requirements for IT security, and consider IT security in award fee plans. Specifically, we determined whether NASA had included IT security requirements, performance metrics, and award fee plans in its contracts, purchase orders, grants, and cooperative agreements. Details of our objectives, scope, and methodology are in Appendix A.

Results of Audit. Generally, NASA had identified contracts subject to the requirements and was making progress in incorporating IT security requirements into contracts at two of the three Centers reviewed. However, Marshall had made considerably less progress than the other two Centers (Finding A). Further, NASA had not included the applicable IT security requirements in its purchase orders, grants, and cooperative agreements. Until NASA incorporates IT security requirements into all applicable acquisition instruments, the Agency lacks reasonable assurance of complying with GISRA requirements, and NASA's systems and information may be subject to additional security risks (Finding B).

NASA included IT security performance metrics in contracts and considered IT security in award fee plans, where appropriate, at the three Centers we reviewed. Regarding performance metrics, NASA used an IT security clause to impose GISRA requirements on applicable contractors. Contracts that included the IT security clause referenced IT security performance metrics. We did not review the adequacy of the IT security performance metrics. Regarding contracts with award fee plans, NASA contracts provide for consideration of IT security violations when determining award fees.

Recommendations.
NASA should establish controls and timeframes to ensure that the Centers properly identify contracts subject to the IT security clause and modify the contracts to incorporate the clause, where appropriate. Also, NASA should direct the Centers to include purchase orders, grants, and cooperative agreements in their IT security reviews. Finally, NASA should comply with GISRA by incorporating IT security requirements in purchase orders, grants, and cooperative agreements, where appropriate.

[2] GISRA became effective on November 29, 2000, and expires 2 years after that date.

Management's Response. Management concurred with the report's recommendations. Management revised the NASA FAR Supplement, which clarified guidance related to identification, control, modification, and timeframes for implementation of the IT security clause. In addition, management stated it would monitor the Centers' progress in reviewing and implementing the clause. Further, management stated it will emphasize that cooperative agreements and purchase orders must also be reviewed and will issue guidance to review any grants valued at $100,000 or more that will continue beyond the next 6 months.

Evaluation of Management's Response. We consider management's comments responsive to the recommendations.


Introduction

OMB's "Guidance on Implementing the Government Information Security Reform Act" (M-01-08, January 16, 2001) required all Federal agencies to include contractors in their IT security implementation plan. Specifically, the guidance states, ". . . the Security Act includes contractor systems. The Clinger-Cohen Act[3] definition of information technology includes technology 'used by the agency directly or is used by a contractor under contract to the agency . . .'" The guidance further states that GISRA essentially codified existing requirements of OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," which required Government agencies and their contractors to provide adequate security for information collected, processed, transmitted, stored, or disseminated.

[3] In 1996, Congress enacted the Clinger-Cohen Act to improve the way Federal agencies acquire and manage IT resources.

On July 14, 2000, NASA issued Procurement Information Circular (PIC) 00-12, "IT Security Requirements for Unclassified Information Technology Resources; Existing and New Contracts and Subcontracts." PIC 00-25, same title, superseded PIC 00-12 on November 29, 2000.[4] The PICs require contracting officers to ". . . modify all existing solicitations and contracts involving unclassified information technology (IT) resources to incorporate NFS [NASA FAR Supplement] clause 1852.204-76 where appropriate." The clause requires NASA vendors to comply with the IT security requirements of NASA Policy Directive 2810.1, "Security of Information Technology," dated October 1, 1998, and NASA Procedures and Guidelines 2810.1, same title, dated August 26, 1999, which together represent NASA's guidance for implementing OMB Circular A-130, Appendix III. According to PIC 00-12 and PIC 00-25, the contracting officer was to ". . . consult with the requiring organization for assistance in identifying applicable contracts and solicitations, and the extent to which the clause is applicable to all or a segment of the statement of work requirements." The PICs also require the contracting officers to incorporate these changes into the appropriate contracts by December 31, 2000.

[4] PIC 00-25 clarified the applicability of the IT security clause contained in PIC 00-12.


Findings and Recommendations

Finding A. IT Security Clause in Contracts

As of May 2001, 5 months after NASA's deadline for incorporating the IT security clause into all applicable contracts, Goddard, Johnson, and Marshall were still negotiating IT security requirements with some vendors. Goddard had almost completed, and Johnson had completed, reviews to identify contracts subject to the clause, and both were making progress in incorporating the clause in their applicable contracts. However, Marshall had completed the review process for only 36 (18 percent) of its 202 contracts. Marshall's delay can be attributed to inadequate controls over the Center's actions to implement the PIC requirements and to other workload priorities. Until NASA includes the security clause in all applicable contracts, the Agency lacks assurance that it meets GISRA requirements, and NASA systems and information may be subject to additional security risks.

Agency Policies and Procedures

NASA PICs 00-12 and 00-25 require contracting officers to incorporate NASA FAR Supplement 1852.204-76, also known as the IT security clause, into contracts where applicable. The IT security clause requires contractors to comply with NASA Policy Directive 2810.1 and NASA Procedures and Guidelines 2810.1, which are NASA's implementing guidance for OMB Circular A-130, Appendix III.
PIC 00-12 established deadlines of August 15, 2000, for conducting reviews to identify applicable contracts, and December 31, 2000, for incorporating the clause in the contracts. The PICs require the Centers to report their progress to the Principal Center IT Security Manager each month.[5]

[5] NASA designated Ames Research Center as its Principal Center for IT Security.

Center Implementation of PIC 00-25

The status of actions taken by the three Centers in implementing PIC 00-25 as of May 2001 is shown in Table 1:

                          Table 1. Implementation of PIC 00-25

                                                           Goddard    Johnson    Marshall
Total Contracts                                                297        147         202
Contracts Reviewed                                             294        147          36
Percentage of Contracts Reviewed                                99        100          18
Contracts Not Reviewed                                           3          0         166
Contracts Reviewed that Are Subject to the Security Clause      92         45          20
Contracts with Clause Incorporated                              22         39           8
Contracts Pending Clause Incorporation                          70          6          12

Need for Controls at Marshall to Implement PIC 00-25. As indicated in the table, Marshall had reviewed only about 18 percent of its contracts and was in the process of modifying 12 of the 20 contracts that it found to be subject to the clause. Marshall's delays in implementing PIC 00-12 and PIC 00-25 related to management's lack of controls to ensure that the Center complied with PIC requirements.
For example, procurement officials had not coordinated with the Center IT Security Manager until March 2001 to identify contracts subject to the clause. In addition, Marshall officials told us that workload priorities contributed to the Center's delay in identifying all contracts subject to the IT security clause. As of May 2001, Marshall had taken no action to review 166 contracts.

Reliance on Centers' Implementation. NASA Office of the Chief Information Officer and Headquarters Office of Procurement representatives indicated that they relied on the Centers to implement PIC 00-12 and PIC 00-25 guidance. Although NASA established controls to track implementation of the applicable contracts after the Centers identified the contracts, NASA had no formal controls to ensure that the Centers identified all contracts subject to the clause. As a result, the NASA Office of the Chief Information Officer and Office of Procurement were not aware that Marshall was far behind in identifying the applicable contracts.

Conclusion

Until NASA establishes appropriate management controls, the Agency cannot be assured that the Centers will identify all contracts subject to the IT security clause and that the Agency complies with GISRA requirements. Further, NASA systems or information may be subject to additional security risks.


Recommendations, Management's Response, and Evaluation of Response

1. The Associate Administrator, Office of Procurement, in coordination with the Chief Information Officer, should establish controls and timeframes to ensure that the Centers properly identify contracts subject to the IT security clause and modify the contracts to include the clause, where appropriate.

Management's Response. Concur.
Management stated that it had issued new guidance to implement IT security requirements (NASA issued the new guidance after audit field work). Management revised various segments of the NASA FAR Supplement, including 1804.470-1, 1804.470-2, 1804.470-3, 1804.470-4, and 1852.204-76. NASA also issued PIC 01-17 with guidance on implementing the NASA FAR Supplement clause and related requirements. The PIC addresses the OIG recommendation. In addition, NASA's Office of Procurement will monitor the Centers' progress in reviewing existing contracts and implementing the clause, where applicable, to assure that all Centers systematically progress in meeting the completion date of December 31, 2001. The complete text of NASA Headquarters' response is in Appendix B.

Evaluation of Response. The actions taken by NASA are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until agreed-to corrective actions are completed.


Finding B. IT Security Requirements in Purchase Orders, Grants, and Cooperative Agreements

The three Centers we reviewed had not included IT security requirements in applicable purchase orders, grants, and cooperative agreements. This condition occurred because NASA did not require the Centers to specifically review purchase orders to determine whether they were subject to the security clause or to include the IT security clause in grants. Also, NASA did not clarify the Agency's position regarding the applicability of the clause to cooperative agreements.
Until NASA includes security requirements, as applicable, in all of its procurement instruments, it lacks assurance that its purchase orders, grants, and cooperative agreements comply with GISRA requirements, and NASA systems and information may be subject to additional security risks.

Policies and Procedures

GISRA Requirements. GISRA requires Government agencies to comply with the IT security provisions established in OMB Circular A-130, Appendix III. GISRA also applies to contractors who develop or maintain Government-owned information. Because OMB guidance did not address the applicability of GISRA to grants and cooperative agreements, we asked OMB for clarification regarding the applicability issue. In June 2001, OMB provided a written response stating that IT security provisions apply to contracts (which include purchase orders) and to grants and cooperative agreements when those instruments use Government resources (such as information, IT, or other equipment, personnel, or other assets). OMB also stated that if a Government program official oversees the grantee, such as to assess whether the grant is returning any benefits, or to prevent fraud, waste, or abuse of public funds, then the Government has the authority and responsibility to demand adequate security.

NASA Policy. NASA policy for grants and cooperative agreements is established in NASA Procedures and Guidelines 5800.E, "Grant and Cooperative Agreement Handbook," dated October 19, 2000.
Neither the Handbook nor any of its referenced provisions require recipients of grants or cooperative agreements to meet specific IT security requirements, except when the recipients handle classified data or must undergo background investigations. To assist the Centers in determining the applicability of the IT security clause to cooperative agreements, NASA published guidance about IT security clause implementation in the form of Frequently Asked Questions (FAQs).

Inclusion of the IT Security Clause

Purchase Orders. The three Centers we reviewed did not include the IT security clause in applicable purchase orders. Although FAR Subpart 2.101 considers purchase orders to be contracts, PIC 00-12 and PIC 00-25 guidance did not specifically address purchase orders. Center officials said they did not include purchase orders in the review process because purchase orders were too numerous to review. Center officials also stated that purchase orders would have expired before the clause could have been inserted in the purchase orders. As a result, none of the three Centers included purchase orders in their IT security reviews.

We identified some purchase orders that suggested the need for an IT security clause. Table 2 contains examples of purchase orders that may be subject to the IT security clause.

       Table 2. Purchase Order Examples Potentially Subject to the IT Security Clause

Purchase Order   Center     Expiration   Purchase Order Value   Description of Work
Number                      Date         (in millions)
H32946D          Marshall   10/31/01     $6.7                   IFMP* Core Financial Software
T2351W           Johnson    9/30/01      $1.0                   IT Support Services
S43411G          Goddard    12/31/01     $1.3                   Flight Dynamics Navigation Attitude and IT
S38657G          Goddard    12/21/01     $6.7                   IT Services
S36205G          Goddard    8/26/02      $2.0                   Multi-mission Flight Software Support
* Integrated Financial Management Program.

Until NASA includes purchase orders in the security review process, it cannot be assured that the Agency will meet GISRA requirements. Further, the Agency's systems and information may experience additional security risk.

Grants and Cooperative Agreements. The three Centers we reviewed did not include IT security requirements in applicable grants and cooperative agreements. Regarding grants, NASA had not published guidance on the inclusion of IT security requirements. Instead, NASA required the Centers to manage grants according to the Grant Handbook. The Handbook, however, imposed no specific IT security requirements relating to GISRA. Also, NASA officials said they believed that the inclusion of security requirements in grants could have the effect of reducing the number of prospective grantees because increased restrictions may discourage some applicants. Regarding cooperative agreements, NASA's guidance in the form of FAQs on the applicability of the clause was unclear.
Specifically, the guidance initially required the Centers to include cooperative agreements in their IT security reviews. NASA later revised the FAQ guidance to state, as follows: "Does the clause apply to cooperative agreements? Generally No. But Yes, but only if applicable . . . ." Lacking appropriate guidance, none of the three Centers included grants and cooperative agreements in their IT security reviews.

Until NASA includes IT security requirements in applicable grants and cooperative agreements, it cannot be assured that the Agency will meet GISRA requirements. Further, the Agency's systems and information may experience additional security risk.


Recommendations, Management's Response, and Evaluation of Response

The Associate Administrator, Office of Procurement, in coordination with the Chief Information Officer, should:

      2. Provide guidance to the Centers to include purchase orders, grants, and cooperative agreements in their IT security reviews.

Management's Response. Concur. Management will implement a review of existing cooperative agreements with commercial firms for those agreements subject to anticipated revisions to Section D of the NASA Grant and Cooperative Agreement Handbook. Management expects to complete revisions to the Handbook in October 2001. NASA will also review existing grants with values of $100,000 or more that do not expire within the next 6 months (March 30, 2002). NASA plans to complete its review of grants by June 30, 2002, which includes time to create and approve the wording for grant-related IT security requirements. NASA also plans to emphasize that Centers should include purchase orders when reviewing existing contracts. This guidance will be included in a Web site that provides Centers with answers to FAQs (see Appendix B).

Evaluation of Response.
The actions taken by NASA are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until agreed-to corrective actions are completed.

      3. Incorporate IT security requirements as required by GISRA in purchase orders, grants, and cooperative agreements, where appropriate.

Management's Response. Concur. NASA will include the requirement to conduct IT security reviews in the revised Section D of the NASA Grant and Cooperative Agreement Handbook, which the Agency anticipates publishing in October 2001 as a Proposed Rule. NASA will also review existing grants, cooperative agreements, and purchase orders to determine IT security clause applicability (see Appendix B).

Evaluation of Response. The actions taken by NASA are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until agreed-to corrective actions are completed.


Appendix A. Objectives, Scope, and Methodology

Objectives

Our objectives were to determine whether NASA contracts:
   • reference applicable IT security requirements of GISRA,
   • contain performance metrics requirements for IT security, and
   • consider IT security in award fee plans.

Scope and Methodology

We performed work at Goddard, Johnson, and Marshall. We reviewed their methodology and criteria for identifying contracts, grants, cooperative agreements, and purchase orders subject to the IT security clause.
We examined the contract files to determine whether the Centers added the IT security clause to their applicable contracts.

To accomplish our objectives, we performed the following:

   •   To determine how NASA identified and implemented IT security requirements, we interviewed officials from the NASA Office of the Chief Information Officer, NASA Office of Procurement, NASA Principal IT Security Clause Coordinator, Center representatives/coordinators for the IT security clause, Center Offices of the Chief Information Officer and Center IT Security Managers, and contracting officers.

   •   To obtain an understanding of IT security laws and regulations and NASA policies and procedures relevant to IT security, we reviewed the Government Information Security Reform Act (GISRA); the Government Paperwork Elimination Act, 1998; the Clinger-Cohen Act, 1996; the Government Performance and Results Act, 1993; the Computer Security Act, 1987; the Federal Managers' Financial Integrity Act, 1982; OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources"; OMB Memorandum M-01-08, "Guidance on Implementing the Government Information Security Reform Act"; NASA FAR Supplement Clause 1804.470, "Security Requirements for Unclassified Information Technology Resources"; NASA Policy Directive 2810.1, "Security of Information Technology"; NASA Procedures and Guidelines 2810.1, "Security of Information Technology"; NASA Procedures and Guidelines 5800.E, "Grant and Cooperative Agreement Handbook," dated October 19, 2000; NASA PIC 00-12 and PIC 00-25, dated July 2000 and November 2000, respectively; NASA IT Implementation Plan for fiscal years 2001-2005; and NASA Procurement Management Survey Report.

   •   To determine the population of active NASA contracts, purchase orders, grants, and cooperative agreements, we extracted relevant data from the NASA Financial and Contractual Status database for fiscal year 2001.

Management Controls Reviewed

We reviewed NASA management controls for identifying and implementing contracts subject to the IT security clause. We considered the management controls to be adequate except that NASA had not fully complied with all applicable IT security requirements. See Findings A and B.

Audit Field Work

We performed the audit field work from April through June 2001. We conducted the audit in accordance with generally accepted government auditing standards.


Appendix B. Management's Response


Appendix C. Report Distribution

National Aeronautics and Space Administration (NASA) Headquarters

A/Administrator
AI/Associate Deputy Administrator
AA/Chief of Staff
AB/Associate Deputy Administrator for Institutions
B/Acting Chief Financial Officer
B/Comptroller
BF/Director, Financial Management Division
C/Associate Administrator for Headquarters Operations
G/General Counsel
H/Associate Administrator for Procurement
HK/Director, Contract Management Division
HS/Director, Program Operations Division
J/Associate Administrator for Management Systems
JM/Director, Management Assessment Division
L/Acting Associate Administrator for Legislative Affairs
M/Associate Administrator for Space Flight
P/Associate Administrator for Public Affairs
Q/Associate Administrator for Safety and Mission Assurance
R/Associate Administrator for Aerospace Technology
R/Chief Information Officer Representative
S/Associate Administrator for Space Science
U/Acting Associate Administrator for Biological and Physical Science
X/Acting Director, Office of Security Management and Safeguards
Y/Associate Administrator for Earth Science
Z/Acting Associate Administrator for Policy and Plans

NASA Centers

Director, Ames Research Center
Director, Dryden Flight Research Center
Director, John H. Glenn Research Center at Lewis Field
Director, Goddard Space Flight Center
Director, NASA Management Office, Jet Propulsion Laboratory
Acting Director, Lyndon B. Johnson Space Center
Director, John F. Kennedy Space Center
Chief Counsel, John F. Kennedy Space Center
Director, Langley Research Center
Director, George C. Marshall Space Flight Center
Acting Director, John C. Stennis Space Center

Non-NASA Federal Organizations and Individuals

Assistant to the President for Science and Technology Policy
Director, Office of Management and Budget
Deputy Director of Management, Office of Management and Budget
Deputy Associate Director, Energy and Science Division, Office of Management and Budget
Branch Chief, Science and Space Programs Branch, Energy and Science Division, Office of Management and Budget
Managing Director, Acquisition and Sourcing Management Team, General Accounting Office
Associate Director, National Security and International Affairs Division, Defense Acquisition Issues, General Accounting Office
Senior Professional Staff Member, Senate Subcommittee on Science, Technology, and Space

Chairman and Ranking Minority Member - Congressional Committees and Subcommittees

Senate Committee on Appropriations
Senate Subcommittee on VA, HUD, and Independent Agencies
Senate Committee on Commerce, Science, and Transportation
Senate Subcommittee on Science, Technology, and Space
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on VA, HUD, and Independent Agencies
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations
House Subcommittee on National Security, Veterans Affairs, and International Relations
House Subcommittee on Technology and Procurement Policy
House Committee on Science
House Subcommittee on Space and Aeronautics

Congressional Member

The Honorable Pete Sessions, U.S. House of Representatives


Appendix Major Contributors to the Report

David L. Gandrud, Program Director, Information Technology Program Audits

Roger W. Flann, Program Manager

Carl L. Aley, Auditor-in-Charge

Rhodora Posey, Auditor

Kenneth C.
Wood, Auditor\n\nNancy C. Cipolla, Report Process Manager\n\nBetty G. Weber, Operations Research Manager\n\nBarbara J. Smith, Program Assistant\n\x0c'